Privacy Policy
Last updated: April 3, 2026
1. Information We Collect
| Data Type | What | Why |
|---|---|---|
| Account Info | Name, email, phone, avatar | Authentication & profile |
| Project Data | Files, code, assets you create | Provide the Service |
| Usage Data | AI message count, token usage | Usage limits & billing |
| Session Data | Device info, IP address | Security & session management |
| Chat History | Messages sent to AI | Context for AI responses |
2. How We Use Your Data
- Provide the Service — host your projects, run AI sessions, deploy websites.
- Authentication — verify your identity, manage sessions.
- Improve the Service — understand usage patterns, fix bugs, develop features.
- Communication — send OTP codes, welcome emails, billing receipts, important updates.
- Security — detect abuse, prevent fraud, rate limiting.
3. Third-Party Services
We use the following third-party services to provide Creft:
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude) | AI code generation | Your chat messages & project context |
| Supabase | Database & authentication | Account info, project metadata |
| Cloudflare R2 | File storage & CDN | Project files & backups |
| Resend | Email delivery | Email address, email content |
| Railway | Hosting | Application data |
| Vercel | Website deployment | Project files (when deployed) |
4. Data Storage & Security
- Data is stored in Supabase (PostgreSQL) hosted in Singapore.
- Files are stored on Railway persistent volumes and Cloudflare R2.
- Passwords are hashed using bcrypt (never stored in plain text).
- API keys and tokens are stored as environment variables, not in code.
- All connections use HTTPS/TLS encryption.
5. Data Retention
- Account data — retained until you delete your account.
- Project data — retained until you delete the project.
- Chat history — retained per project session, cleared on "New Chat".
- Session logs — retained for 90 days for security purposes.
6. Your Rights
- Access — view your data via your Profile and project settings.
- Export — download your projects as ZIP files at any time.
- Delete — delete individual projects or your entire account.
- Correct — update your profile information at any time.
7. Cookies
We use essential cookies only:
- morphic_token — authentication session cookie (SameSite=Lax, HTTP-only).
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Children's Privacy
Creft is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us for removal.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via email or in-app notification.
10. Contact
Questions about privacy? Contact us at privacy@morphic.dev